2.2.8pre2 Compiler Warnings On Digital Unix 4.0D
Following up my post on 4.March.2003 reporting ./configure failure on DU 4.0D for Samba 2.2.8pre2 --with-pam, I have now configured and compiled 2.2.8pre2 --with-winbind (but no PAM), and want to report the selection of scary warnings that the Compaq C compiler throws up by default.

The following is just a representative sample (I could post the lot if anyone really wants them) - and I have found they can *all* be eliminated by editing source/Makefile to specify the compiler flag -w which reduces the warning level from the default (thanks to Ludolf Holzheid).

I have previously reported very similar compiler warnings when building 2.2.2 on this box (October 2001), at which time I received varied advice including (a) use GCC instead of Compaq C (Andrew Esh), (b) keep using Compaq C because it generates better code on DU (John Malmberg), (c) reduce the compiler's sensitivity level (Ludolf Holzheid). I've currently followed (b) and (c).

It occurs to me that maybe ./configure should automatically include CFLAGS=-O -w in the Makefile for Digital Unix platforms (maybe Tru64 as well - I don't have one to try) ... especially if you guys still think all these warnings are spurious or wrong.

Here's the selection of warnings :

cut
cc: Warning: libsmb/clifile.c, line 57: In this statement, & before array data is ignored.
    (char *)data, data_len, cli->max_xmit /* data, length, max */
cc: Warning: libsmb/smbencrypt.c, line 243: In this statement, & before array (unicode_passwd) is ignored.
    ZERO_STRUCT(unicode_passwd);
cc: Warning: rpc_server/srv_samr_nt.c, line 132: In this statement, & before array pass[i].lm_pwd is ignored.
    memset(pass[i].lm_pwd, '\0', sizeof(pass[i].lm_pwd));

[there are *lots* of the above kind of warning ... Ludolf Holzheid gave a very helpful explanation of them - see refs below]

cc: Warning: rpc_server/srv_spoolss_nt.c, line 4290: In this statement, the referenced type of the pointer value nullstr is signed char, which is not compatible with array [256] of signed char.
    init_unistr_array(info->previousdrivernames, nullstr, servername);
cc: Warning: rpc_parse/parse_spoolss.c, line 1209: In this statement, the referenced type of the pointer value prs_alloc_mem(...) is signed char, which is not compatible with unsigned char.
    r_u->data = prs_alloc_mem(ps, r_u->size);
cc: Warning: passdb/secrets.c, line 291: In this statement, the referenced type of the pointer value name is const, but the referenced type of the target of this assignment is not.
    ret = tdb_lock_bystring(tdb, name, timeout);
cc: Warning: tdb/tdb.c, line 119: In this statement, (-1) of type long, is being converted to pointer to void.
    if (tdb->map_ptr == MAP_FAILED) {
cc: Warning: client/clitar.c, line 688: In this statement, the referenced type of the pointer value finfo.size is unsigned long long, which is not compatible with unsigned long.
    if (!cli_getattrE(cli, fnum, finfo.mode, finfo.size, NULL, finfo.atime, finfo.mtime)) {
cc: Warning: nsswitch/winbind_nss.c, line 600: In this statement, the referenced type of the pointer value buflen is unsigned long, which is not compatible with int.
    get_static(buffer, buflen, strlen(pw->pw_name) + 1)) == NULL) {
cut

I assume the compiler makes a correct decision in each case, and that my resulting Samba binaries will work properly - and that the above just represent slight programmer caffeine emergency moments, that someone will tidy in due course.

Please let me know if any of the above looks like show-stopping stuff - I can send the whole lot over if anyone wants it.

refs:

My post earlier this month on ./configure failing on DU4.0D for 2.2.8pre2 --with-pam :
http://lists.samba.org/pipermail/samba-technical/2003-March/042874.html

My post in Oct 2001 reporting compiler warnings on DU4.0D for 2.2.2 :
http://lists.samba.org/pipermail/samba-technical/2001-October/031968.html

Post from Ludolf Holzheid explaining some of the DU4.0D warnings for 2.2.2 :
http://lists.samba.org/pipermail/samba-technical/2001-October/032071.html

Post from John Malmberg stating that the Compaq C compiler is right for DU :
http://lists.samba.org/pipermail/samba-technical/2001-October/032058.html

Cheers,
Nick Boyce
EDS, Bristol, UK
2.2.8pre2 Won't Configure On Digital Unix 4.0D
I decided to have a look at 2.2.8pre2 on a Digital Unix box we run here - and configure runs fine like this :

    ./configure --with-winbind
    ...
    checking whether or not getgroups returns EGID too many times... no
    checking whether struct passwd has pw_comment... yes
    checking whether struct passwd has pw_age... no
    checking for poptGetContext in -lpopt... no
    checking whether to use included popt... ./popt
    checking configure summary... yes
    updating cache ./config.cache
    creating ./config.status
    creating include/stamp-h
    creating Makefile
    creating script/findsmb
    creating include/config.h
    include/config.h is unchanged

But because I'm also interested in making use of winbind to fully integrate some of our Unixen into an NT domain, I decided I should configure Samba to use PAM as well, like this :

    ./configure --with-winbind --with-pam

and this configure run fails :

    ...
    checking whether or not getgroups returns EGID too many times... yes
    checking whether struct passwd has pw_comment... yes
    checking whether struct passwd has pw_age... no
    checking for poptGetContext in -lpopt... no
    checking whether to use included popt... ./popt
    checking configure summary... configure: error: summary failure. Aborting config

I'm just reporting this as a test result, though of course I'd be interested in any solution there may be (or explanation of error: summary failure). I'm happy to try any further tests you folks may want.

Cheers
Nick Boyce
EDS Southwest Solution Centre, Bristol, UK
RE: Annoying Minor Bug In Winbind 2.2.x
On 19 Feb 2003, Andrew Esh wrote:

> It's probably a line count thing. The head of the patch contains a certain range of lines that the patch should apply to. If you truncated the patch at the bottom, the header could be telling patch it needs to add, for example, 30 lines, while the patch text only contains 28 ... That line of stars is part of the patch, and maybe a few blank lines below it.

Thanks - that was it - the two blank lines below the line of stars were part of the patch (a fact I was able to confirm by comparing with the CVS web ref Martin posted) but I'd missed them out.

Patch applied - now recompiling Samba ... done.

And now it works fine - I can restart winbindd to my heart's content and /tmp/.winbindd gets created with the right permissions and everybody's happy :)

Thanks for bearing with me.

Nick Boyce
EDS Southwest Solution Centre, Bristol, UK
RE: Annoying Minor Bug In Winbind 2.2.x
On 7 Feb 2003, Martin Pool wrote:

> On 6 Feb 2003, Boyce, Nick [EMAIL PROTECTED] wrote:
>
> > I find what seems to be an obvious, simple and annoying buggette - if I stop and restart winbind (the sort of thing you do a lot at this stage) then it fails to restart, with this message in /var/log/samba/log.winbindd :
> >
> >     invalid permissions on socket directory /tmp/.winbindd
> >
> > Here's the permissions :
> >
> >     /etc# ls -ld /tmp/.w*
> >     drwxr-x--- 2 root root 4096 Feb 6 21:33 /tmp/.winbindd
>
> The error is emitted from create_pipe_sock, which checks that the permissions on the directory are exactly what winbind expects them to be (0755). Obviously those permissions are not correct, which would seem to be a problem because it might prevent non-root processes from accessing winbindd.
>
> This looks very much like a umask problem.

Thanks - that was it.

I now have a script /usr/local/bin/winbind, which does

    umask 000
    /etc/init.d/winbind $1
    umask 027

and everything is working ok now - I can stop and restart winbind to my heart's content without any problem (well no socket directory permissions problems anyway ;-)

[ I'm afraid I always run with umask=027 ... it's a hangover from my mainframe days ... I can't get away from the idea that you should grant only the access that is needed ... all files world-readable by default ? ... Just Say No ]

Thanks a lot.

Nick Boyce
EDS Southwest Solution Centre, Bristol, UK
RE: Trusted domains' users and Samba
On 6th.Feb.2003 Szilva wrote :

> > 2. What version of samba are you running?
>
> The version is 2.2.3a-6 for Debian that was shipped with distribution (Woody).

On behalf of yourself, your users, and Net users everywhere in general :), can I plead with you to install the later security-fixed version of Samba-for-Debian ? The current stable security-fixed Debian Samba is 2.2.3a-12. See http://www.debian.org/security/2002/dsa-200 dated 22.Nov.2002, concerning a potential remote root hole.

It won't make any difference to the --sequence option - it's still not there - but things might work better for you.

PS: I'm just attempting to configure Debian Samba 2.2.3a-12 winbind to allow login authentications against a real NT domain (with a trusted domain) myself, so I'll let you know if it works for me. I can certainly see the domain my Samba server's domain trusts, in the output from wbinfo -m.

Nick Boyce
EDS Southwest Solution Centre, Bristol, UK

-Original Message-
From: Szilvsy Zoltn [mailto:[EMAIL PROTECTED]]
Sent: 06 February 2003 11:16
To: [EMAIL PROTECTED]
Subject: RE: Trusted domains' users and Samba

Quoting the message from Marc Kaplan [EMAIL PROTECTED]:

> It should be connecting to the trusted domain by default.
> 1. What does wbinfo --sequence show you?

Wbinfo tells it does not support --sequence option. However wbinfo -m shows DOM2 in the list.

> 2. What version of samba are you running?

The version is 2.2.3a-6 for Debian that was shipped with distribution (Woody).

szilva
Annoying Minor Bug In Winbind 2.2.x
As per my message an hour or so ago, I'm trying to get the winbind that comes with Debian 3.0 Samba 2.2.3a-12 configured to allow me to telnet into the box with authentication handed off to a real NT domain.

Anyway, even before I really get started, I find what seems to be an obvious, simple and annoying buggette - if I stop and restart winbind (the sort of thing you do a lot at this stage) then it fails to restart, with this message in /var/log/samba/log.winbindd :

    invalid permissions on socket directory /tmp/.winbindd

Here's the permissions :

    /etc# ls -ld /tmp/.w*
    drwxr-x--- 2 root root 4096 Feb 6 21:33 /tmp/.winbindd

A quick Google Groups search (Samba.org's own archives being unsearchable) comes up with just one hit :

http://groups.google.com/groups?q=%22invalid+permissions+on+socket+directory +/tmp/.winbindd%22hl=enlr=ie=UTF-8oe=UTF-8selm=b29cf7d1.0301240738.6e61 2f4a%40posting.google.comrnum=1

This guy's solution certainly works for me (simply rename the faulty socket directory out of harm's way), but ... surely you folks saw this buggette a few lightyears ago down the way.

Is it a known bug ? Does a later Samba 2.2.x version fix it ?

Cheers,
Nick Boyce
EDS Southwest Solution Centre, Bristol, UK
RE: tracking user logins
On Wednesday, November 27, 2002, at 19:55 PM, Jim Morris wrote:

> I must say that I know of no NT/2000 option to allow only login from one client PC, although I recall Netware having such an option.

Agreed again. (I think you meant something different from the facility John Terpestra referred to - on NT/2K you can specify which machines, perhaps only one, that a user account can use, but you can't specify Maximum number of concurrent sessions; on Netware you can do both.)

> Given the growing presence of Samba in the large enterprise, with more and more companies becoming security conscious as time goes forward, we are going to hit these type issues more and more.

Mmm. I've only *just* managed to demonstrate to the Powers-That-Be around here the full horror of an unswitched LAN with unencrypted passwords and a sniffer ... so _now_ changes are underway. Password encryption *with* failed login tallying *will* be part of security policy ..

> ... What is needed is an examination of the various security policies that can be setup in an NT/2000 Server environment, so that a list of such items that are appropriate to a Samba environment can be built.

I'd just like to add a vote for another item for this list - something which can be done on Netware, VMS, and on some Unixen, but not NT/2K (AFAIK) - allow a password expiry grace period to be configured if desired - a period of time after a password has expired, during which a user account can still login but is forced straight into a password-change dialog. This allows for those occasions when (e.g.) someone is away for a whole month, during which their password expires.

> ... I would be glad to help in this effort in any way I can, including documentation and code.

Likewise, but only for documentation ..

Nick Boyce
EDS Southwest Solution Centre, Bristol, UK
Correction To DOMAIN_MEMBER.html
[this is almost too trivial to bother with, but in the interests of accuracy ..]

I just converted a Samba 2.2.3a-for-Debian server from being a stand-alone workgroup member using plain-text passwords into a full NT-administered domain member using encrypted passwords and security=domain.

This being the first server we've done this with, I paid attention to the apparent authoritative document on the subject, DOMAIN_MEMBER.html in docs/htmldocs. It runs pretty much like this :

cut
In order to join the domain, first stop all Samba daemons and run the command:

    root# smbpasswd -j DOM -r DOMPDC -UAdministrator%password

[...]

Now, before restarting the Samba daemons you must edit your smb.conf(5) file to tell Samba it should now use domain security.

Change (or add) your security = line in the [global] section of your smb.conf to read:

    security = domain

Next change the workgroup = line in the [global] section to read:

    workgroup = DOM

as this is the name of the domain we are joining.

You must also have the parameter encrypt passwords set to yes in order for your users to authenticate to the NT PDC.
cut

So, in plodder fashion, that's the order I tried to do things in. Unfortunately, unless you edit smb.conf to set encrypt passwords = yes *first*, you can't run the smbpasswd domain-joining call - it fails with :

    SAMBABOX:/etc/samba# smbpasswd -j MYDOMAIN -r MYPDC -Uadminuser%adminpassword
    Error connecting to MYPDC
    Unable to join domain MYDOMAIN.

I just thought it might help other folks, to document this explicitly. I spent a couple of hours trying to figure out what I was doing wrong, jacking up the Samba debug level, getting Ethereal traces of the join operation, etc. ...

I checked, and it's still the same in the version posted on the Samba.org website, although there's also Samba-HOWTO-Collection.html which has a section Make Samba a member of an MS Windows NT security domain which documents the same thing in a somewhat different and perhaps less confusing manner.

I'd have gladly produced an edited version of DOMAIN_MEMBER.html for consideration, but I know the project uses Docbook for this stuff, and I don't know the first thing about that :(

Cheers
Nick Boyce
EDS, Bristol, UK
RE: Running smb without nmb? (Linux Suse 8.1 feature)
[sorry - bit of a belated reply - I have a bit of a backlog to read]

On 23rd.Oct.2002, Linda Walsh asked :

> I recently upgraded my Linux distro to SuSE 8.1 which came w/samba 2.2.5. A feature of the upgrade was that it 'split' the startup script for samba from 1 script for _smb_ and _nmb_ to 2 scripts.
>
> So how/why would splitting these scripts be a good thing?

I can think of one good reason why a sysadmin might want to *re*start nmb without restarting smb - loss of WINS registration.

For us, that happens periodically to the registration of our Samba boxen with our corporate Windows WINS servers, and I _think_ the underlying cause is that the WINS servers get rebooted. The first we notice is that calls start coming in from people who can no longer map network drives to the Sambas, or can no longer contact development webservers on the same boxes by NetBIOS name alone.

A simple restart of nmb solves the problem, and restarting smb at the same time would be both unnecessary and undesirable.

Nick Boyce
EDS Southwest Solution Centre, Bristol, UK
RE: [Samba] Re: How Samba let us down
Reading through Jeremy's eagerly awaited discourse on oplocks/share modes/locking, I read this bit :

> ... if you need simultaneous file access from a Windows and UNIX client you *must* have an application that is written to lock records correctly on both sides. Few applications are written like this, and even fewer are cross platform (UNIX and Windows) so in practice this isn't much of a problem.

but my brain kept stumbling over "isn't much of a problem" (;-) surely that should say "isn't much of a solution" ?

I only mention it in the interests of honing the discourse as it heads towards the docs.

Cheers
Nick Boyce
EDS Southwest Solution Centre, Bristol, UK
FW: assignment discards qualifiers from pointer target-samba-3.0-alpha18
San asked the original question. *I* can't answer it, but I thought I'd help out by pointing out to him that he didn't specify what kind of system and compiler he's using. He replied, but personally to me, which won't get him very far :-(

So here's his system data (he still hasn't said what hardware architecture he's working on though).

Nick Boyce
EDS, Bristol, UK

-Original Message-
From: san [mailto:[EMAIL PROTECTED]]
Sent: 24 July 2002 17:27
To: Boyce, Nick
Subject: Re: assignment discards qualifiers from pointer target-samba-3.0-alpha18

Hi Nick Boyce,

I am using RedHat 7.1, gcc-2.96-81
krb5-devel-1.2.2-4, krb5-workstation-1.2.2-4, krb5-libs-1.2.2-4
kernel: kernel-2.4.3-12

Regards,
San
System Administrator
www.unisoftindia.net

- Original Message -
From: Boyce, Nick [EMAIL PROTECTED]
To: 'san' [EMAIL PROTECTED]
Sent: Wednesday, July 24, 2002 9:36 PM
Subject: RE: assignment discards qualifiers from pointer target-samba-3.0-alpha18

Good grief San ! Don't you think it might help the Samba gurus if you specified what system type and compiler you're using ?

Nick Boyce
EDS, Bristol, UK

-Original Message-
From: san [mailto:[EMAIL PROTECTED]]
Sent: 24 July 2002 14:04
To: [EMAIL PROTECTED]
Subject: assignment discards qualifiers from pointer target-samba-3.0-alpha18

Hi all!

While compiling I am getting the following error messages

    passdb/secrets.c: In function `secrets_fetch':
    passdb/secrets.c:61: warning: assignment discards qualifiers from pointer target type
    passdb/secrets.c: In function `secrets_store':
    passdb/secrets.c:77: warning: assignment discards qualifiers from pointer target type
    passdb/secrets.c: In function `secrets_delete':
    passdb/secrets.c:93: warning: assignment discards qualifiers from pointer target type
    passdb/pdb_ldap.c: In function `ldapsam_search_one_user':
    passdb/pdb_ldap.c:340: warning: passing arg 5 of `ldap_search_s' from incompatible pointer type
    passdb/pdb_ldap.c: In function `search_top_nua_rid':
    passdb/pdb_ldap.c:1011: warning: passing arg 5 of `ldap_search_s' from incompatible pointer type
    passdb/pdb_ldap.c: In function `ldapsam_setsampwent':
    passdb/pdb_ldap.c:1109: warning: passing arg 5 of `ldap_search_s' from incompatible pointer type
    lib/util_str.c: In function `all_string_sub_w':
    lib/util_str.c:839: warning: initialization discards qualifiers from pointer target type
    libads/kerberos.c: In function `kerberos_kinit_password':
    libads/kerberos.c:76: warning: passing arg 6 of `krb5_get_init_creds_password' discards qualifiers from pointer target type

How do I solve

Regards,
San